The Pinterest Automatic plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the ‘wp_pinterest_automatic_parse_request’ function and the ‘process_form.php’ script in versions up to, and including, 1.14.3. This makes it possible for unauthenticated attackers to update arbitrary options on a site that can be used to create new administrative user accounts or redirect unsuspecting site visitors.
Daily Archives: June 7, 2023
CVE-2021-4379
The WooCommerce Multi Currency plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the wmc_bulk_fixed_price function in versions up to, and including, 2.1.17. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to make changes to product prices.
CVE-2021-4337
Sixteen XforWooCommerce Add-On Plugins for WordPress are vulnerable to authorization bypass due to a missing capability check on the wp_ajax_svx_ajax_factory function in various versions listed below. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to read, edit, or delete WordPress settings, plugin settings, and to arbitrarily list all users on a WordPress website. The plugins impacted are: Product Filter for WooCommerce < 8.2.0, Improved Product Options for WooCommerce < 5.3.0, Improved Sale Badges for WooCommerce < 4.4.0, Share, Print and PDF Products for WooCommerce < 2.8.0, Product Loops for WooCommerce < 1.7.0, XforWooCommerce < 1.7.0, Package Quantity Discount < 1.2.0, Price Commander for WooCommerce < 1.3.0, Comment and Review Spam Control for WooCommerce < 1.5.0, Add Product Tabs for WooCommerce < 1.5.0, Autopilot SEO for WooCommerce < 1.6.0, Floating Cart < 1.3.0, Live Search for WooCommerce < 2.1.0, Bulk Add to Cart for WooCommerce < 1.3.0, Live Product Editor for WooCommerce < 4.7.0, and Warranties and Returns for WooCommerce < 5.3.0.
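The three advisories above share one root cause: an AJAX handler that changes settings without asking WordPress whether the caller is allowed to. The added example below (not code from any of the plugins named; hook, function and option names are hypothetical) shows that pattern beside the hardened form a plugin author would ship: nonce check, capability check, and a fixed list of writable options.

```php
<?php
// Added illustration of the bug class described above: an AJAX handler
// that updates options without checking the caller's capability.
// Hook and option names are hypothetical, not from the plugins listed.

// VULNERABLE PATTERN: registered for unauthenticated callers and
// writes whatever option name/value the request supplies.
add_action( 'wp_ajax_nopriv_example_save', 'example_save_unchecked' );
add_action( 'wp_ajax_example_save', 'example_save_unchecked' );
function example_save_unchecked() {
    // Any visitor can overwrite any option in the wp_options table.
    update_option( $_POST['option'], $_POST['value'] );
    wp_send_json_success();
}

// HARDENED PATTERN: administrators only, nonce-protected, and the
// writable option names are fixed in code rather than taken from input.
// Deliberately NOT hooked to wp_ajax_nopriv_*: anonymous callers get
// WordPress's default "0" response instead of reaching this code.
const EXAMPLE_ALLOWED_OPTIONS = array( 'example_items_per_page', 'example_color' );

add_action( 'wp_ajax_example_save_v2', 'example_save_checked' );
function example_save_checked() {
    // Reject requests that did not originate from a form we rendered (CSRF).
    check_ajax_referer( 'example_save', 'nonce' );

    // Capability check: the control missing in the advisories above.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Allowlist the option name so the handler cannot be pointed at core options.
    $option = isset( $_POST['option'] ) ? sanitize_key( $_POST['option'] ) : '';
    if ( ! in_array( $option, EXAMPLE_ALLOWED_OPTIONS, true ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }

    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( $option, $value );
    wp_send_json_success();
}
```

When auditing a plugin, grep its `add_action( 'wp_ajax_` registrations and confirm each handler reaches a `current_user_can()` call before any write; a `wp_ajax_nopriv_` hook on a handler that writes options is the exact shape these CVEs describe.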
CVE-2020-36728
The Adning Advertising plugin for WordPress is vulnerable to file deletion via path traversal in versions up to, and including, 1.5.5. This allows unauthenticated attackers to delete arbitrary files which can be used to reset and gain full control of a site.
CVE-2020-36705
The Adning Advertising plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the _ning_upload_image function in versions up to, and including, 1.5.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible.
python3.7-3.7.16-4.fc39
FEDORA-2023-75c4fc87fc
Packages in this update:
python3.7-3.7.16-4.fc39
Update description:
Automatic update for python3.7-3.7.16-4.fc39.
Changelog
* Mon May 29 2023 Charalampos Stratakis <cstratak@redhat.com> - 3.7.16-4
- Fix for CVE-2023-24329
Resolves: rhbz#2174014
New tool enables team collaboration on security case management
Security automation and orchestration platform Tines has added a new case management capability, dubbed Cases, to allow security teams to collaborate on security incidents.
This collaboration feature is aimed at enabling the teams to efficiently handle anomalies, automation, and remediations.
“With Cases, Tines users — which range from startups to Fortune 10 — can deploy a new capability that addresses the critical flaws in existing case management solutions, from a lack of customizations and integrations to complex interfaces that lead to mistakes and delays,” said Eoin Hinchy, founder of Tines.
Sysdig adds “end-to-end” detection and response to CNAPP
Cloud security firm Sysdig has embedded cloud detection and response (CDR) into its cloud-native application protection platform (CNAPP). The company claims to be the first vendor to offer this consolidation, a move that enables its CNAPP to detect threats with 360-degree visibility and correlation across workloads, identities, cloud services, and third-party applications. It leverages Falco, a widely adopted open-source standard for cloud threat detection governed by the Cloud Native Computing Foundation, in both agent and agentless deployment models, Sysdig said.
As cloud adoption grows and organizations build out cloud environments, they face sprawling applications, services, and identities. Detecting and quickly responding to threats across these environments can be a significant challenge for businesses and their security teams, with vast amounts of cloud assets potentially vulnerable and going unchecked for significant periods of time.
Cl0p gang tells MOVEit hack victims to contact it before June 14, or else…
The Russia-linked cybercrime gang thought to be behind a hack that has impacted companies around the world has posted a message to its corporate victims.
In short, firms affected by the MOVEit hack are being told to contact the Cl0p ransomware group before June 14, or face the consequences.
syncthing-1.23.5-1.el8
FEDORA-EPEL-2023-e14003b86d
Packages in this update:
syncthing-1.23.5-1.el8
Update description:
Update to version 1.23.5. Addresses CVE-2022-46165.